Overview

overview

10

Static

static

3

5dd8bbc2a0...fd.dll

windows7-x64

10

5dd8bbc2a0...fd.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2024 16:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5dd8bbc2a06f32e7ae85158d378bf1c6ca1a03c766d36a350329958f02a77ffd.dll

  • Size

    1.2MB

  • MD5

    add78f4a51bc5a019c357ceb81094996

  • SHA1

    1d908cdabfa232ac577ed7ad302a4e774aa472e0

  • SHA256

    5dd8bbc2a06f32e7ae85158d378bf1c6ca1a03c766d36a350329958f02a77ffd

  • SHA512

    83b3429bc0871d28c48db7db15d44fe65e7b02fa9609fd9b357f571059c466743fa355b88163e48d36c7e9c8f16ff03080781feb282a5770d51c8bf5ba545298

  • SSDEEP

    12288:hPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8xy:htKTrsKSKBTSb6DUXWq8x

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5dd8bbc2a06f32e7ae85158d378bf1c6ca1a03c766d36a350329958f02a77ffd.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2636
  • C:\Windows\system32\SystemPropertiesProtection.exe
    C:\Windows\system32\SystemPropertiesProtection.exe
    1⤵
      PID:3008
    • C:\Users\Admin\AppData\Local\sRiWA\SystemPropertiesProtection.exe
      C:\Users\Admin\AppData\Local\sRiWA\SystemPropertiesProtection.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2184
    • C:\Windows\system32\dpnsvr.exe
      C:\Windows\system32\dpnsvr.exe
      1⤵
        PID:2192
      • C:\Users\Admin\AppData\Local\KkxPkRK0r\dpnsvr.exe
        C:\Users\Admin\AppData\Local\KkxPkRK0r\dpnsvr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2232
      • C:\Windows\system32\FXSCOVER.exe
        C:\Windows\system32\FXSCOVER.exe
        1⤵
          PID:2728
        • C:\Users\Admin\AppData\Local\QsZqTr\FXSCOVER.exe
          C:\Users\Admin\AppData\Local\QsZqTr\FXSCOVER.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2904

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\KkxPkRK0r\WINMM.dll
          Filesize

          1.2MB

          MD5

          02cdc5b48ca893ade72a878904f0c49f

          SHA1

          a442fa2149c046dbf45189062067ba495e002cb7

          SHA256

          37a8785d050d6fce98d6e2dc5b9dad47270bd929d8f4c2703686fd97f25b8d0a

          SHA512

          1faf7853b7987e92e35490684c743401977d4b5977e06fa4f8e98afa8fa7ca167db1e82e5efc84f57062b0094bb667b535577c7919daeb818ecc6fd37a5189ba

          Download Submit

        • C:\Users\Admin\AppData\Local\QsZqTr\MFC42u.dll
          Filesize

          1.2MB

          MD5

          a1fe661256b5c703a932b68c50cc3f28

          SHA1

          f641aabacacf1e91dd387e5b2ebcfedee715623a

          SHA256

          c8a7c8b6e054cd2efede95d27df480507533f8d221455c12364e88cb9182ea10

          SHA512

          2ba4849716522481d2e136cde5235c172e3c2ad0d376f1982177d4cbc692806a7df8eccee1bd181ad2e1660cb1f2259eaaf8828d196c4fa190c3f6cdb0ba4b30

          Download Submit

        • C:\Users\Admin\AppData\Local\sRiWA\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          54c487210112904e1f9faa18c70948be

          SHA1

          1b42c4487a1a980ab11ceeccb746fd18778cfe4a

          SHA256

          bbc3c55093763c28f24102ea5d996c72797f8133d281a314aa772d32b65b8fde

          SHA512

          34a82c55097b93324f29352ec3f43a7827f1bb7b4b48d3f74a2f0bcc87ed93712721362282db6eb8dc96541e98fd2dfb787fd69274ad1c9d600dcc2b8d799976

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk
          Filesize

          1KB

          MD5

          3e38d98ce01d0b8d79365eb440511ca2

          SHA1

          faac09f93016350ef3b6d85e08d499b1995dee4e

          SHA256

          bc977d4aef4cb6dda5045691e55ef1e6818852aa0ed5dc60ed30c3b2f422050e

          SHA512

          e99814fd57df99c31a05973d5fef71e0b50d9279f9dcc9d4a749d35b1f4294f5ba2d8e1516fd477490a0480fd2c3b0de62090dee048cc724342f7cce238317bb

          Download Submit

        • \Users\Admin\AppData\Local\KkxPkRK0r\dpnsvr.exe
          Filesize

          33KB

          MD5

          6806b72978f6bd27aef57899be68b93b

          SHA1

          713c246d0b0b8dcc298afaed4f62aed82789951c

          SHA256

          3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

          SHA512

          43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

          Download Submit

        • \Users\Admin\AppData\Local\QsZqTr\FXSCOVER.exe
          Filesize

          261KB

          MD5

          5e2c61be8e093dbfe7fc37585be42869

          SHA1

          ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

          SHA256

          3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

          SHA512

          90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

          Download Submit

        • \Users\Admin\AppData\Local\sRiWA\SystemPropertiesProtection.exe
          Filesize

          80KB

          MD5

          05138d8f952d3fff1362f7c50158bc38

          SHA1

          780bc59fcddf06a7494d09771b8340acffdcc720

          SHA256

          753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

          SHA512

          27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

          Download Submit

        • memory/1244-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-3-0x0000000076E56000-0x0000000076E57000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1244-6-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-23-0x0000000002520000-0x0000000002527000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1244-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-26-0x00000000771F0000-0x00000000771F2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1244-25-0x00000000771C0000-0x00000000771C2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1244-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-36-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-4-0x0000000002540000-0x0000000002541000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1244-45-0x0000000076E56000-0x0000000076E57000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1244-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2184-58-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2184-54-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2184-53-0x0000000000210000-0x0000000000217000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2232-71-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2232-70-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2232-75-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2636-44-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2636-2-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2636-0-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2904-87-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2904-91-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download